Chinese-Made Smartphone Comes With Spyware, Security Firm Says

The Star N9500, a cheap Android-powered smartphone made in China, ships with more than just an 8-megapixel camera and quad-core processor, according G Data, a Germany cyber-security company. The company says it has discovered malicious software—which could be used to track the phone’s user and manipulate the device remotely—embedded in the device.

G Data, which sells anti-virus and cyber-security products, said it discovered a so-called Trojan-horse malware, called Usupay.D, in the phone’s Google Play app store.

It said it fielded several complaints from buyers of the phone and ran tests on a newly purchased device.

G Data said that during testing, it found that the spyware on the smartphone sends phone identification and specification data to an unidentified server located in China.

G Data said the malware could also operate phone functions remotely, like turning on the camera, though it said it found no evidence that had happened in the phone it studied.

It also said that sending data to a Chinese served doesn’t necessarily suggest an attacker targeting the phone is based there.

G Data could not say how the malware ended up on the phone. Shenzhen-based -based manufacturer Tianxing, which makes the phone, wasn’t available for comment. G Data spokesman Thorsten Urbanski said G Data also tried unsuccessfully to contact the manufacturer.

The N9500, similar to the best-selling Samsung Galaxy S4, is a popular low-cost smartphone, pricing on Amazon.co.uk for between £85 ($141) for a new 5.0 inch version to £119.89 for a new 5.7 inch HD version.

Amazon and Google weren’t immediately available for comment.

The malicious software is pre-installed in the so-called firmware, the software that comes with the phone and operates its systems. It can therefore not simply be deleted like a regular app installed from a third-party app store.

The malware program itself was identified by Kaspersky Lab in March 2013. G Data says its analysis is the first time Usupay.D has been discovered bundled with a mobile phone.